
  1. /***************************************************************************
  2. * _ _ ____ _
  3. * Project ___| | | | _ \| |
  4. * / __| | | | |_) | |
  5. * | (__| |_| | _ <| |___
  6. * \___|\___/|_| \_\_____|
  7. *
  8. * Copyright (C) 1998 - 2019, Daniel Stenberg, <daniel@haxx.se>, et al.
  9. *
  10. * This software is licensed as described in the file COPYING, which
  11. * you should have received as part of this distribution. The terms
  12. * are also available at https://curl.haxx.se/docs/copyright.html.
  13. *
  14. * You may opt to use, copy, modify, merge, publish, distribute and/or sell
  15. * copies of the Software, and permit persons to whom the Software is
  16. * furnished to do so, under the terms of the COPYING file.
  17. *
  18. * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
  19. * KIND, either express or implied.
  20. *
  21. ***************************************************************************/
  22. /* This file is for implementing all "generic" SSL functions that all libcurl
  23. internals should use. It is then responsible for calling the proper
  24. "backend" function.
  25. SSL-functions in libcurl should call functions in this source file, and not
  26. to any specific SSL-layer.
  27. Curl_ssl_ - prefix for generic ones
  28. Note that this source code uses the functions of the configured SSL
  29. backend via the global Curl_ssl instance.
  30. "SSL/TLS Strong Encryption: An Introduction"
  31. https://httpd.apache.org/docs/2.0/ssl/ssl_intro.html
  32. */
  33. #include "curl_setup.h"
  34. #ifdef HAVE_SYS_TYPES_H
  35. #include <sys/types.h>
  36. #endif
  37. #ifdef HAVE_SYS_STAT_H
  38. #include <sys/stat.h>
  39. #endif
  40. #ifdef HAVE_FCNTL_H
  41. #include <fcntl.h>
  42. #endif
  43. #include "urldata.h"
  44. #include "vtls.h" /* generic SSL protos etc */
  45. #include "slist.h"
  46. #include "sendf.h"
  47. #include "strcase.h"
  48. #include "url.h"
  49. #include "progress.h"
  50. #include "share.h"
  51. #include "multiif.h"
  52. #include "timeval.h"
  53. #include "curl_md5.h"
  54. #include "warnless.h"
  55. #include "curl_base64.h"
  56. #include "curl_printf.h"
  57. /* The last #include files should be: */
  58. #include "curl_memory.h"
  59. #include "memdebug.h"
/* convenience macro to check if this handle is using a shared SSL session:
   true when the easy handle is attached to a share object and that share
   has the SSL-session lock bit set */
#define SSLSESSION_SHARED(data) (data->share && \
                                 (data->share->specifier & \
                                  (1<<CURL_LOCK_DATA_SSL_SESSION)))

/* Duplicate one string member from 'source' into 'dest' (NULL stays NULL).
   Only usable inside a function whose locals are named 'source' and 'dest'
   (see Curl_clone_primary_ssl_config): on allocation failure it returns
   FALSE from the enclosing function. Members cloned before the failure are
   left in 'dest' and are not released by the macro. */
#define CLONE_STRING(var) \
  if(source->var) { \
    dest->var = strdup(source->var); \
    if(!dest->var) \
      return FALSE; \
  } \
  else \
    dest->var = NULL;
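/*
 * NULL-safe, case-sensitive comparison for the file-system paths stored in an
 * ssl_primary_config (CA bundle/directory, client cert, random file, EGD
 * socket). Two NULLs are equal; a NULL and a non-NULL are not.
 *
 * Paths are deliberately compared case-sensitively: on a case-sensitive file
 * system "CA.pem" and "ca.pem" are different files, and treating them as
 * equal would let a cached session established under one trust configuration
 * be reused by a connection configured with another.
 */
static bool safe_path_compare(const char *first, const char *second)
{
  if(!first && !second)
    return TRUE;
  if(!first || !second)
    return FALSE;
  return strcmp(first, second) == 0;
}

/*
 * Return TRUE when two SSL configurations are equivalent for the purpose of
 * reusing a cached session or connection: same protocol version bounds, same
 * verification settings, same trust/identity files and same cipher lists.
 *
 * File paths are matched case-sensitively; cipher lists stay case-insensitive
 * since cipher names are not case-sensitive identifiers.
 */
bool
Curl_ssl_config_matches(struct ssl_primary_config* data,
                        struct ssl_primary_config* needle)
{
  if((data->version == needle->version) &&
     (data->version_max == needle->version_max) &&
     (data->verifypeer == needle->verifypeer) &&
     (data->verifyhost == needle->verifyhost) &&
     (data->verifystatus == needle->verifystatus) &&
     safe_path_compare(data->CApath, needle->CApath) &&
     safe_path_compare(data->CAfile, needle->CAfile) &&
     safe_path_compare(data->clientcert, needle->clientcert) &&
     safe_path_compare(data->random_file, needle->random_file) &&
     safe_path_compare(data->egdsocket, needle->egdsocket) &&
     Curl_safe_strcasecompare(data->cipher_list, needle->cipher_list) &&
     Curl_safe_strcasecompare(data->cipher_list13, needle->cipher_list13))
    return TRUE;

  return FALSE;
}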
/*
 * Duplicate one string field: a NULL source yields a NULL destination and
 * counts as success; otherwise the string is strdup()ed.
 * Returns TRUE on success, FALSE when the allocation fails.
 */
static bool clone_ssl_string(const char *src, char **dst)
{
  if(!src) {
    *dst = NULL;
    return TRUE;
  }
  *dst = strdup(src);
  return *dst != NULL;
}

/*
 * Copy the connection-matching part of an SSL configuration from 'source'
 * into 'dest': scalar settings are assigned, every string member is
 * duplicated.
 *
 * Returns TRUE on success, FALSE when a duplication fails. The members are
 * cloned in order and the first failure stops the copy; whatever was cloned
 * before it stays in 'dest' and is not released here.
 */
bool
Curl_clone_primary_ssl_config(struct ssl_primary_config *source,
                              struct ssl_primary_config *dest)
{
  dest->version = source->version;
  dest->version_max = source->version_max;
  dest->verifypeer = source->verifypeer;
  dest->verifyhost = source->verifyhost;
  dest->verifystatus = source->verifystatus;
  dest->sessionid = source->sessionid;

  /* short-circuit evaluation stops at the first failed duplication */
  return clone_ssl_string(source->CApath, &dest->CApath) &&
         clone_ssl_string(source->CAfile, &dest->CAfile) &&
         clone_ssl_string(source->clientcert, &dest->clientcert) &&
         clone_ssl_string(source->random_file, &dest->random_file) &&
         clone_ssl_string(source->egdsocket, &dest->egdsocket) &&
         clone_ssl_string(source->cipher_list, &dest->cipher_list) &&
         clone_ssl_string(source->cipher_list13, &dest->cipher_list13);
}
/*
 * Release every string member of an ssl_primary_config. Each pointer is freed
 * and reset to NULL, so the function is safe to call more than once on the
 * same struct. The scalar settings are left untouched.
 */
void Curl_free_primary_ssl_config(struct ssl_primary_config* sslc)
{
  char **members[] = {
    &sslc->CApath,
    &sslc->CAfile,
    &sslc->clientcert,
    &sslc->random_file,
    &sslc->egdsocket,
    &sslc->cipher_list,
    &sslc->cipher_list13
  };
  size_t idx;

  for(idx = 0; idx < sizeof(members) / sizeof(members[0]); idx++)
    Curl_safefree(*members[idx]);
}
#ifdef USE_SSL
/* Forward declaration; the definition is further down in this file (outside
   this excerpt). Curl_ssl_backend() calls it with NULL before it reads
   Curl_ssl->info.id. */
static int multissl_init(const struct Curl_ssl *backend);
#endif
/*
 * Report which TLS backend this library is using, as a CURLSSLBACKEND_* id.
 * Without TLS support the answer is always CURLSSLBACKEND_NONE; otherwise the
 * backend is (lazily) selected via multissl_init() before its id is read.
 */
int Curl_ssl_backend(void)
{
  int backend_id = (int)CURLSSLBACKEND_NONE;
#ifdef USE_SSL
  multissl_init(NULL);
  backend_id = Curl_ssl->info.id;
#endif
  return backend_id;
}
  132. #ifdef USE_SSL
/* "global" init done? Set by Curl_ssl_init(), cleared by Curl_ssl_cleanup().
   A plain (non-atomic) flag with no lock around it in this file. */
static bool init_ssl = FALSE;
/**
 * Global SSL init
 *
 * Runs the backend's init() at most once per process; later calls are no-ops
 * that report success. The init_ssl flag is set before init() runs, so a
 * failing backend init is not retried.
 *
 * @retval 0 error initializing SSL
 * @retval 1 SSL initialized successfully
 */
int Curl_ssl_init(void)
{
  /* make sure this is only done once */
  if(!init_ssl) {
    init_ssl = TRUE; /* never again */
    return Curl_ssl->init();
  }
  return 1;
}
/* Global cleanup: undo Curl_ssl_init(). A no-op unless a previous init was
   recorded, so calling it without (or twice after) an init is harmless. */
void Curl_ssl_cleanup(void)
{
  /* only cleanup if we did a previous init */
  if(!init_ssl)
    return;

  Curl_ssl->cleanup();
  init_ssl = FALSE;
}
/*
 * Validate the CURLOPT_SSLVERSION / CURLOPT_SSLVERSION max settings before a
 * handshake is attempted. Returns TRUE when they are usable, FALSE (after
 * logging via failf) when the minimum version is out of range or an explicit
 * maximum lies below the minimum.
 */
static bool ssl_prefs_check(struct Curl_easy *data)
{
  /* check for CURLOPT_SSLVERSION invalid parameter value */
  const long sslver = data->set.ssl.primary.version;
  const long sslver_max = data->set.ssl.primary.version_max;
  const bool max_unset = (sslver_max == CURL_SSLVERSION_MAX_NONE) ||
                         (sslver_max == CURL_SSLVERSION_MAX_DEFAULT);

  if((sslver < 0) || (sslver >= CURL_SSLVERSION_LAST)) {
    failf(data, "Unrecognized parameter value passed via CURLOPT_SSLVERSION");
    return FALSE;
  }

  /* the CURL_SSLVERSION_MAX_* values carry the version number shifted left
     by 16 bits; an explicit maximum must not be below the minimum */
  if(!max_unset && ((sslver_max >> 16) < sslver)) {
    failf(data, "CURL_SSLVERSION_MAX incompatible with CURL_SSLVERSION");
    return FALSE;
  }

  return TRUE;
}
/*
 * Called when TLS to the proxy is already up and TLS to the origin host is
 * about to be started on the same socket index: move the established proxy
 * TLS state from conn->ssl[] into conn->proxy_ssl[] so conn->ssl[] is free
 * for the new handshake.
 *
 * Returns CURLE_OK (also when nothing needed moving) or CURLE_NOT_BUILT_IN
 * when the backend does not support HTTPS proxies.
 */
static CURLcode
ssl_connect_init_proxy(struct connectdata *conn, int sockindex)
{
  struct ssl_connect_data *host_ssl = &conn->ssl[sockindex];
  struct ssl_connect_data *proxy_ssl = &conn->proxy_ssl[sockindex];
  struct ssl_backend_data *pbdata;

  DEBUGASSERT(conn->bits.proxy_ssl_connected[sockindex]);

  /* only act when the connection slot holds a completed TLS session and the
     proxy slot is not in use yet */
  if((host_ssl->state != ssl_connection_complete) || proxy_ssl->use)
    return CURLE_OK;

  if(!(Curl_ssl->supports & SSLSUPP_HTTPS_PROXY))
    return CURLE_NOT_BUILT_IN;

  /* The pointers to the ssl backend data, which is opaque here, are swapped
     rather than move the contents. */
  pbdata = proxy_ssl->backend;
  *proxy_ssl = *host_ssl;
  memset(host_ssl, 0, sizeof(*host_ssl));
  memset(pbdata, 0, Curl_ssl->sizeof_ssl_backend_data);
  host_ssl->backend = pbdata;

  return CURLE_OK;
}
/*
 * Blocking TLS connect on conn->sock[sockindex]. If a TLS-to-proxy session is
 * already in the slot it is moved aside first (ssl_connect_init_proxy), then
 * the version preferences are checked and the backend's blocking connect is
 * run. On success the APPCONNECT timer is stamped.
 *
 * Returns CURLE_OK, CURLE_SSL_CONNECT_ERROR for invalid version settings, or
 * the error from the proxy move / backend.
 */
CURLcode
Curl_ssl_connect(struct connectdata *conn, int sockindex)
{
  struct ssl_connect_data *connssl = &conn->ssl[sockindex];
  CURLcode result = CURLE_OK;

  if(conn->bits.proxy_ssl_connected[sockindex])
    result = ssl_connect_init_proxy(conn, sockindex);
  if(result)
    return result;

  if(!ssl_prefs_check(conn->data))
    return CURLE_SSL_CONNECT_ERROR;

  /* mark this is being ssl-enabled from here on. */
  connssl->use = TRUE;
  connssl->state = ssl_connection_negotiating;

  result = Curl_ssl->connect_blocking(conn, sockindex);
  if(!result)
    Curl_pgrsTime(conn->data, TIMER_APPCONNECT); /* SSL is connected */

  return result;
}
/*
 * Non-blocking counterpart of Curl_ssl_connect(). Same preparation (proxy
 * TLS moved aside, version preferences checked), then one step of the
 * backend's non-blocking connect; *done is set by the backend when the
 * handshake has finished, and only then is the APPCONNECT timer stamped.
 *
 * Returns CURLE_OK, CURLE_SSL_CONNECT_ERROR for invalid version settings, or
 * the error from the proxy move / backend.
 */
CURLcode
Curl_ssl_connect_nonblocking(struct connectdata *conn, int sockindex,
                             bool *done)
{
  struct ssl_connect_data *connssl = &conn->ssl[sockindex];
  CURLcode result = CURLE_OK;

  if(conn->bits.proxy_ssl_connected[sockindex])
    result = ssl_connect_init_proxy(conn, sockindex);
  if(result)
    return result;

  if(!ssl_prefs_check(conn->data))
    return CURLE_SSL_CONNECT_ERROR;

  /* mark this is being ssl requested from here on. */
  connssl->use = TRUE;

  result = Curl_ssl->connect_nonblocking(conn, sockindex, done);
  if(!result && *done)
    Curl_pgrsTime(conn->data, TIMER_APPCONNECT); /* SSL is connected */

  return result;
}
/*
 * Lock shared SSL session data. A no-op when the handle's session cache is
 * not shared through a CURLSH object.
 */
void Curl_ssl_sessionid_lock(struct connectdata *conn)
{
  struct Curl_easy *data = conn->data;

  if(!SSLSESSION_SHARED(data))
    return;

  Curl_share_lock(data, CURL_LOCK_DATA_SSL_SESSION, CURL_LOCK_ACCESS_SINGLE);
}
/*
 * Unlock shared SSL session data. Counterpart of Curl_ssl_sessionid_lock();
 * a no-op when the session cache is not shared.
 */
void Curl_ssl_sessionid_unlock(struct connectdata *conn)
{
  struct Curl_easy *data = conn->data;

  if(!SSLSESSION_SHARED(data))
    return;

  Curl_share_unlock(data, CURL_LOCK_DATA_SSL_SESSION);
}
/*
 * Check if there's a session ID for the given connection in the cache, and if
 * there's one suitable, it is provided. Returns TRUE when no entry matched.
 *
 * An entry is reused only when every connection-identifying field agrees:
 * host name (the proxy host when this is the TLS-to-proxy layer), remote
 * port, the "connect-to" host/port overrides, the URL scheme, and the whole
 * ssl_primary_config via Curl_ssl_config_matches(). A match bumps the
 * entry's age so it becomes the least likely to be evicted.
 *
 * *ssl_sessionid receives the cached backend object (the cache keeps owning
 * it; nothing is copied) or NULL; *idsize, when non-NULL, receives its size.
 * No locking is done here - presumably callers bracket the call with
 * Curl_ssl_sessionid_lock()/unlock(). 'sockindex' is only read by the
 * CONNECT_PROXY_SSL()/SSL_SET_OPTION() macros.
 */
bool Curl_ssl_getsessionid(struct connectdata *conn,
                           void **ssl_sessionid,
                           size_t *idsize, /* set 0 if unknown */
                           int sockindex)
{
  struct curl_ssl_session *check;
  struct Curl_easy *data = conn->data;
  size_t i;
  long *general_age;
  bool no_match = TRUE;

  const bool isProxy = CONNECT_PROXY_SSL();
  struct ssl_primary_config * const ssl_config = isProxy ?
    &conn->proxy_ssl_config :
    &conn->ssl_config;
  const char * const name = isProxy ? conn->http_proxy.host.name :
    conn->host.name;
  int port = isProxy ? (int)conn->port : conn->remote_port;
  *ssl_sessionid = NULL;

  DEBUGASSERT(SSL_SET_OPTION(primary.sessionid));

  if(!SSL_SET_OPTION(primary.sessionid))
    /* session ID re-use is disabled */
    return TRUE;

  /* the age counter lives in the share object when the cache is shared,
     otherwise in this handle's state */
  if(SSLSESSION_SHARED(data))
    general_age = &data->share->sessionage;
  else
    general_age = &data->state.sessionage;

  for(i = 0; i < data->set.general_ssl.max_ssl_sessions; i++) {
    check = &data->state.session[i];
    if(!check->sessionid)
      /* not session ID means blank entry */
      continue;
    /* conn_to_host/conn_to_port must either both be unset or both be set
       and equal; a cached conn_to_port of -1 means "not set" */
    if(strcasecompare(name, check->name) &&
       ((!conn->bits.conn_to_host && !check->conn_to_host) ||
        (conn->bits.conn_to_host && check->conn_to_host &&
         strcasecompare(conn->conn_to_host.name, check->conn_to_host))) &&
       ((!conn->bits.conn_to_port && check->conn_to_port == -1) ||
        (conn->bits.conn_to_port && check->conn_to_port != -1 &&
         conn->conn_to_port == check->conn_to_port)) &&
       (port == check->remote_port) &&
       strcasecompare(conn->handler->scheme, check->scheme) &&
       Curl_ssl_config_matches(ssl_config, &check->ssl_config)) {
      /* yes, we have a session ID! */
      (*general_age)++;          /* increase general age */
      check->age = *general_age; /* set this as used in this age */
      *ssl_sessionid = check->sessionid;
      if(idsize)
        *idsize = check->idsize;
      no_match = FALSE;
      break;
    }
  }

  return no_match;
}
/*
 * Kill a single session ID entry in the cache: release the backend session
 * object, the cloned config strings and the host names, and return the slot
 * to the blank state (age 0). Blank entries are left alone, so it is safe to
 * call on every slot of the table.
 */
void Curl_ssl_kill_session(struct curl_ssl_session *session)
{
  /* defensive check: a blank entry has nothing to release */
  if(!session->sessionid)
    return;

  /* free the ID the SSL-layer specific way */
  Curl_ssl->session_free(session->sessionid);
  session->sessionid = NULL;
  session->age = 0; /* fresh */

  Curl_free_primary_ssl_config(&session->ssl_config);
  Curl_safefree(session->name);
  Curl_safefree(session->conn_to_host);
}
/*
 * Delete the given session ID from the cache. The table is searched for the
 * entry whose backend object is exactly 'ssl_sessionid'; that entry is killed
 * (see Curl_ssl_kill_session). Nothing happens when no entry holds it.
 */
void Curl_ssl_delsessionid(struct connectdata *conn, void *ssl_sessionid)
{
  struct Curl_easy *data = conn->data;
  struct curl_ssl_session *table = data->state.session;
  const size_t count = data->set.general_ssl.max_ssl_sessions;
  size_t idx;

  for(idx = 0; idx < count; idx++) {
    if(table[idx].sessionid != ssl_sessionid)
      continue;
    Curl_ssl_kill_session(&table[idx]);
    return;
  }
}
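/*
 * Store session id in the session cache. The ID passed on to this function
 * must already have been extracted and allocated the proper way for the SSL
 * layer. Curl_XXXX_session_free() will be called to free/kill the session ID
 * later on.
 *
 * The entry records everything Curl_ssl_getsessionid() later matches on:
 * host (proxy host for a TLS-to-proxy session), remote port, "connect-to"
 * host/port, scheme and a clone of the ssl_primary_config. The first empty
 * slot is used; when the cache is full, the oldest entry is killed and its
 * slot reused. No locking is done here. 'sockindex' is only read by the
 * CONNECT_PROXY_SSL()/SSL_SET_OPTION() macros.
 *
 * Returns CURLE_OK, or CURLE_OUT_OF_MEMORY when a copy fails. On failure the
 * chosen slot is returned to the blank state (no dangling host pointers, no
 * half-cloned config strings) and ssl_sessionid remains owned by the caller.
 */
CURLcode Curl_ssl_addsessionid(struct connectdata *conn,
                               void *ssl_sessionid,
                               size_t idsize,
                               int sockindex)
{
  size_t i;
  struct Curl_easy *data = conn->data; /* the mother of all structs */
  struct curl_ssl_session *store = &data->state.session[0];
  long oldest_age = data->state.session[0].age; /* zero if unused */
  char *clone_host;
  char *clone_conn_to_host;
  int conn_to_port;
  long *general_age;
  const bool isProxy = CONNECT_PROXY_SSL();
  struct ssl_primary_config * const ssl_config = isProxy ?
    &conn->proxy_ssl_config :
    &conn->ssl_config;

  DEBUGASSERT(SSL_SET_OPTION(primary.sessionid));

  clone_host = strdup(isProxy ? conn->http_proxy.host.name : conn->host.name);
  if(!clone_host)
    return CURLE_OUT_OF_MEMORY; /* bail out */

  if(conn->bits.conn_to_host) {
    clone_conn_to_host = strdup(conn->conn_to_host.name);
    if(!clone_conn_to_host) {
      free(clone_host);
      return CURLE_OUT_OF_MEMORY; /* bail out */
    }
  }
  else
    clone_conn_to_host = NULL;

  /* -1 marks "no connect-to port"; Curl_ssl_getsessionid() tests for it */
  if(conn->bits.conn_to_port)
    conn_to_port = conn->conn_to_port;
  else
    conn_to_port = -1;

  /* Now we should add the session ID and the host name to the cache, (remove
     the oldest if necessary) */

  /* the age counter lives in the share object when the cache is shared,
     otherwise in this handle's state */
  if(SSLSESSION_SHARED(data))
    general_age = &data->share->sessionage;
  else
    general_age = &data->state.sessionage;

  /* find an empty slot for us, or find the oldest */
  for(i = 1; (i < data->set.general_ssl.max_ssl_sessions) &&
        data->state.session[i].sessionid; i++) {
    if(data->state.session[i].age < oldest_age) {
      oldest_age = data->state.session[i].age;
      store = &data->state.session[i];
    }
  }
  if(i == data->set.general_ssl.max_ssl_sessions)
    /* cache is full, we must "kill" the oldest entry! */
    Curl_ssl_kill_session(store);
  else
    store = &data->state.session[i]; /* use this slot */

  /* now init the session struct wisely */
  store->sessionid = ssl_sessionid;
  store->idsize = idsize;
  store->age = *general_age; /* set current age */

  /* free it if there's one already present */
  free(store->name);
  free(store->conn_to_host);
  store->name = clone_host;                 /* clone host name */
  store->conn_to_host = clone_conn_to_host; /* clone connect to host name */
  store->conn_to_port = conn_to_port;       /* connect to port number */
  /* port number */
  store->remote_port = isProxy ? (int)conn->port : conn->remote_port;
  store->scheme = conn->handler->scheme;

  if(!Curl_clone_primary_ssl_config(ssl_config, &store->ssl_config)) {
    /* Undo the partial entry. The host strings are owned by the slot at this
       point, so they are released through the slot (which also nulls the
       pointers): freeing the local copies while store->name still pointed at
       them left a dangling pointer that the next use of this slot would free
       again. The config strings cloned before the failure are released as
       well so they cannot leak when the slot is reused. */
    Curl_free_primary_ssl_config(&store->ssl_config);
    Curl_safefree(store->name);
    Curl_safefree(store->conn_to_host);
    store->sessionid = NULL; /* let caller free sessionid */
    store->age = 0;          /* blank, as after Curl_ssl_kill_session() */
    return CURLE_OUT_OF_MEMORY;
  }

  return CURLE_OK;
}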
/*
 * Tear down all TLS state owned by this handle: every entry of the session
 * cache is killed and the table freed - unless the cache belongs to a share
 * object, in which case it is left for the share - and then the backend's
 * close_all() is run.
 */
void Curl_ssl_close_all(struct Curl_easy *data)
{
  /* kill the session ID cache if not shared */
  const bool own_cache = data->state.session && !SSLSESSION_SHARED(data);

  if(own_cache) {
    size_t idx;
    for(idx = 0; idx < data->set.general_ssl.max_ssl_sessions; idx++)
      /* the single-killer function handles empty table slots */
      Curl_ssl_kill_session(&data->state.session[idx]);
    /* free the cache data */
    Curl_safefree(data->state.session);
  }

  Curl_ssl->close_all(data);
}
  437. #if defined(USE_OPENSSL) || defined(USE_GNUTLS) || defined(USE_SCHANNEL) || \
  438. defined(USE_SECTRANSP) || defined(USE_POLARSSL) || defined(USE_NSS) || \
  439. defined(USE_MBEDTLS) || defined(USE_CYASSL)
/*
 * Tell the event loop which socket to wait on, and in which direction, while
 * the TLS handshake on FIRSTSOCKET is in progress. Only the two "connect_2"
 * states register the socket; every other state (and numsocks == 0) yields
 * GETSOCK_BLANK.
 */
int Curl_ssl_getsock(struct connectdata *conn, curl_socket_t *socks,
                     int numsocks)
{
  const struct ssl_connect_data *connssl = &conn->ssl[FIRSTSOCKET];

  if(!numsocks)
    return GETSOCK_BLANK;

  switch(connssl->connecting_state) {
  case ssl_connect_2_writing:
    /* write mode */
    socks[0] = conn->sock[FIRSTSOCKET];
    return GETSOCK_WRITESOCK(0);
  case ssl_connect_2_reading:
    /* read mode */
    socks[0] = conn->sock[FIRSTSOCKET];
    return GETSOCK_READSOCK(0);
  default:
    return GETSOCK_BLANK;
  }
}
  458. #else
/*
 * Fallback for backends without a non-blocking handshake state machine:
 * there is never a socket to wait on, so the answer is always GETSOCK_BLANK.
 */
int Curl_ssl_getsock(struct connectdata *conn,
                     curl_socket_t *socks,
                     int numsocks)
{
  /* all three arguments are intentionally unused */
  (void)numsocks;
  (void)socks;
  (void)conn;
  return GETSOCK_BLANK;
}
  468. /* USE_OPENSSL || USE_GNUTLS || USE_SCHANNEL || USE_SECTRANSP || USE_NSS */
  469. #endif
/*
 * Close the TLS layer on one socket of the connection. 'sockindex' is 0 or 1,
 * or -1 (the assert documents the range the backends accept).
 */
void Curl_ssl_close(struct connectdata *conn, int sockindex)
{
  const struct Curl_ssl *backend = Curl_ssl;

  DEBUGASSERT((sockindex >= -1) && (sockindex <= 1));
  backend->close_one(conn, sockindex);
}
/*
 * Shut the TLS layer down on one socket and return it to plain-text use: the
 * slot is marked unused, its state reset, and the connection's recv/send
 * function pointers are pointed back at the plain socket variants.
 *
 * Returns CURLE_SSL_SHUTDOWN_FAILED when the backend reports a failure, in
 * which case the slot is left as it was.
 */
CURLcode Curl_ssl_shutdown(struct connectdata *conn, int sockindex)
{
  struct ssl_connect_data *connssl = &conn->ssl[sockindex];

  if(Curl_ssl->shut_down(conn, sockindex))
    return CURLE_SSL_SHUTDOWN_FAILED;

  /* get back to ordinary socket usage */
  connssl->use = FALSE;
  connssl->state = ssl_connection_none;
  conn->recv[sockindex] = Curl_recv_plain;
  conn->send[sockindex] = Curl_send_plain;

  return CURLE_OK;
}
/* Selects an SSL crypto engine by name; the backend decides what "engine"
   means and whether the name is known. */
CURLcode Curl_ssl_set_engine(struct Curl_easy *data, const char *engine)
{
  const struct Curl_ssl *backend = Curl_ssl;
  return backend->set_engine(data, engine);
}
/* Selects the default SSL crypto engine, as defined by the backend. */
CURLcode Curl_ssl_set_engine_default(struct Curl_easy *data)
{
  const struct Curl_ssl *backend = Curl_ssl;
  return backend->set_engine_default(data);
}
/* Return list of OpenSSL crypto engine names, as a curl_slist produced by
   the backend (ownership as the backend defines it). */
struct curl_slist *Curl_ssl_engines_list(struct Curl_easy *data)
{
  const struct Curl_ssl *backend = Curl_ssl;
  return backend->engines_list(data);
}
/*
 * This sets up a session ID cache to the specified size. Make sure this code
 * is agnostic to what underlying SSL technology we use.
 *
 * The table is zero-filled, which is what marks every slot as blank. A
 * handle that already has a table keeps it (the call is then a no-op).
 *
 * Returns CURLE_OK or CURLE_OUT_OF_MEMORY.
 */
CURLcode Curl_ssl_initsessions(struct Curl_easy *data, size_t amount)
{
  struct curl_ssl_session *table;

  /* this is just a precaution to prevent multiple inits */
  if(data->state.session)
    return CURLE_OK;

  table = calloc(amount, sizeof(*table));
  if(!table)
    return CURLE_OUT_OF_MEMORY;

  /* store the info in the SSL section */
  data->set.general_ssl.max_ssl_sessions = amount;
  data->state.session = table;
  data->state.sessionage = 1; /* this is brand new */

  return CURLE_OK;
}
/* defined later in this file (outside this excerpt); used by
   Curl_ssl_version() when CURL_WITH_MULTI_SSL is set */
static size_t Curl_multissl_version(char *buffer, size_t size);
/*
 * Write the backend's version string into 'buffer' (at most 'size' bytes)
 * and return what the backend - or, in a multi-backend build, the combined
 * version helper - reports as the length.
 */
size_t Curl_ssl_version(char *buffer, size_t size)
{
#ifdef CURL_WITH_MULTI_SSL
  const size_t written = Curl_multissl_version(buffer, size);
#else
  const size_t written = Curl_ssl->version(buffer, size);
#endif
  return written;
}
/*
 * This function tries to determine connection status.
 *
 * Return codes:
 * 1 means the connection is still in place
 * 0 means the connection has been closed
 * -1 means the connection status is unknown
 */
int Curl_ssl_check_cxn(struct connectdata *conn)
{
  const struct Curl_ssl *backend = Curl_ssl;
  return backend->check_cxn(conn);
}
/*
 * Ask the backend whether it has already-decrypted data buffered for the
 * given socket index, i.e. data readable without the socket being readable.
 */
bool Curl_ssl_data_pending(const struct connectdata *conn,
                           int connindex)
{
  const struct Curl_ssl *backend = Curl_ssl;
  return backend->data_pending(conn, connindex);
}
/*
 * Release the CURLINFO_CERTINFO data of a handle: every per-certificate slist
 * and the array holding them. Leaves the struct counting zero certificates,
 * so the function is safe to call repeatedly.
 */
void Curl_ssl_free_certinfo(struct Curl_easy *data)
{
  struct curl_certinfo *ci = &data->info.certs;
  int idx;

  if(!ci->num_of_certs)
    return;

  /* free all individual lists used */
  for(idx = 0; idx < ci->num_of_certs; idx++) {
    curl_slist_free_all(ci->certinfo[idx]);
    ci->certinfo[idx] = NULL;
  }

  /* free the actual array too */
  free(ci->certinfo);
  ci->certinfo = NULL;
  ci->num_of_certs = 0;
}
/*
 * Prepare the CURLINFO_CERTINFO storage for 'num' certificates: any previous
 * data is released and a zeroed array of 'num' list pointers is allocated.
 *
 * A negative 'num' is not rejected here; it becomes a huge size_t and the
 * allocation fails with CURLE_OUT_OF_MEMORY.
 */
CURLcode Curl_ssl_init_certinfo(struct Curl_easy *data, int num)
{
  struct curl_certinfo *ci = &data->info.certs;
  struct curl_slist **table;

  /* Free any previous certificate information structures */
  Curl_ssl_free_certinfo(data);

  /* Allocate the required certificate information structures */
  table = calloc((size_t) num, sizeof(*table));
  if(!table)
    return CURLE_OUT_OF_MEMORY;

  ci->certinfo = table;
  ci->num_of_certs = num;

  return CURLE_OK;
}
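/*
 * Append one "label:value" line to the certinfo list of certificate number
 * 'certnum'. 'value' is NOT a zero terminated string: exactly 'valuelen'
 * bytes of it are copied.
 *
 * 'certnum' must lie within the range set up by Curl_ssl_init_certinfo(); an
 * index outside it is rejected with CURLE_BAD_FUNCTION_ARGUMENT instead of
 * indexing past the certinfo array.
 *
 * Returns CURLE_OK, or CURLE_OUT_OF_MEMORY when an allocation fails, in which
 * case the list for that certificate is freed and reset to NULL.
 */
CURLcode Curl_ssl_push_certinfo_len(struct Curl_easy *data,
                                    int certnum,
                                    const char *label,
                                    const char *value,
                                    size_t valuelen)
{
  struct curl_certinfo *ci = &data->info.certs;
  char *output;
  struct curl_slist *nl;
  CURLcode result = CURLE_OK;
  size_t labellen = strlen(label);
  size_t outlen = labellen + 1 + valuelen + 1; /* label:value\0 */

  /* ci->certinfo holds exactly num_of_certs entries (Curl_ssl_init_certinfo);
     an index outside that range would write outside the array */
  if((certnum < 0) || (certnum >= ci->num_of_certs))
    return CURLE_BAD_FUNCTION_ARGUMENT;

  output = malloc(outlen);
  if(!output)
    return CURLE_OUT_OF_MEMORY;

  /* sprintf the label and colon */
  msnprintf(output, outlen, "%s:", label);

  /* memcpy the value (it might not be zero terminated) */
  memcpy(&output[labellen + 1], value, valuelen);

  /* zero terminate the output */
  output[labellen + 1 + valuelen] = 0;

  /* the list takes 'output' as-is (no dup); on failure both the new string
     and the existing list for this certificate are released */
  nl = Curl_slist_append_nodup(ci->certinfo[certnum], output);
  if(!nl) {
    free(output);
    curl_slist_free_all(ci->certinfo[certnum]);
    result = CURLE_OUT_OF_MEMORY;
  }

  ci->certinfo[certnum] = nl;

  return result;
}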
/*
 * This is a convenience function for push_certinfo_len that takes a zero
 * terminated value. Same return values as Curl_ssl_push_certinfo_len().
 */
CURLcode Curl_ssl_push_certinfo(struct Curl_easy *data,
                                int certnum,
                                const char *label,
                                const char *value)
{
  return Curl_ssl_push_certinfo_len(data, certnum, label, value,
                                    strlen(value));
}
/*
 * Fill 'entropy' with 'length' random bytes from the backend's random
 * source. The result code is whatever the backend reports.
 */
CURLcode Curl_ssl_random(struct Curl_easy *data,
                         unsigned char *entropy,
                         size_t length)
{
  const struct Curl_ssl *backend = Curl_ssl;
  return backend->random(data, entropy, length);
}
/*
 * Public key pem to der conversion
 *
 * 'pem' must be a zero terminated buffer holding a "-----BEGIN PUBLIC
 * KEY-----" block that starts at the beginning of the buffer or directly
 * after a '\n', and whose "-----END PUBLIC KEY-----" line also directly
 * follows a '\n'. The base64 between the markers (line breaks stripped) is
 * decoded into a newly allocated *der of *der_len bytes.
 *
 * Returns CURLE_BAD_CONTENT_ENCODING when the markers are missing or
 * misplaced, CURLE_OUT_OF_MEMORY, or the result of Curl_base64_decode().
 */
static CURLcode pubkey_pem_to_der(const char *pem,
                                  unsigned char **der, size_t *der_len)
{
  static const char begin_marker[] = "-----BEGIN PUBLIC KEY-----";
  static const char end_marker[] = "\n-----END PUBLIC KEY-----";
  const char *begin_pos, *end_pos;
  size_t start, stop, idx, base64_len = 0;
  char *base64;
  CURLcode result;

  /* if no pem, exit. */
  if(!pem)
    return CURLE_BAD_CONTENT_ENCODING;

  begin_pos = strstr(pem, begin_marker);
  if(!begin_pos)
    return CURLE_BAD_CONTENT_ENCODING;

  start = begin_pos - pem;
  /* Invalid if not at beginning AND not directly following \n */
  if((start != 0) && (pem[start - 1] != '\n'))
    return CURLE_BAD_CONTENT_ENCODING;

  /* skip the marker itself (26 characters) */
  start += sizeof(begin_marker) - 1;

  /* Invalid if not directly following \n */
  end_pos = strstr(pem + start, end_marker);
  if(!end_pos)
    return CURLE_BAD_CONTENT_ENCODING;
  stop = end_pos - pem;

  base64 = malloc(stop - start + 1);
  if(!base64)
    return CURLE_OUT_OF_MEMORY;

  /* copy everything between the markers except line breaks, which leaves the
     raw base64 string */
  for(idx = start; idx < stop; idx++) {
    if((pem[idx] != '\n') && (pem[idx] != '\r'))
      base64[base64_len++] = pem[idx];
  }
  base64[base64_len] = '\0';

  result = Curl_base64_decode(base64, der, der_len);
  free(base64);

  return result;
}
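/*
 * Compare the peer's public key against a "sha256//<base64>" pin list.
 *
 * 'pinnedpubkey' holds one or more base64 SHA-256 digests separated by
 * ";sha256//". Returns CURLE_OK when the digest of 'pubkey' equals one of
 * them, CURLE_SSL_PINNEDPUBKEYNOTMATCH when none matches (also when the
 * backend has no sha256sum support), CURLE_OUT_OF_MEMORY, or the error
 * reported by the backend digest or the base64 encoder.
 */
static CURLcode pin_match_sha256(struct Curl_easy *data,
                                 const char *pinnedpubkey,
                                 const unsigned char *pubkey,
                                 size_t pubkeylen)
{
  CURLcode result = CURLE_SSL_PINNEDPUBKEYNOTMATCH;
  CURLcode encode;
  unsigned char *sha256sumdigest;
  char *encoded = NULL;
  size_t encodedlen = 0;
  char *pinkeycopy, *begin_pos, *end_pos;
  size_t pinkeylen;

  if(!Curl_ssl->sha256sum) {
    /* without sha256 support, this cannot match */
    return result;
  }

  /* compute sha256sum of public key */
  sha256sumdigest = malloc(CURL_SHA256_DIGEST_LENGTH);
  if(!sha256sumdigest)
    return CURLE_OUT_OF_MEMORY;
  encode = Curl_ssl->sha256sum(pubkey, pubkeylen,
                               sha256sumdigest, CURL_SHA256_DIGEST_LENGTH);
  /* the digest buffer is released on every path - including a backend
     failure, which previously returned without freeing it */
  if(!encode)
    encode = Curl_base64_encode(data, (char *)sha256sumdigest,
                                CURL_SHA256_DIGEST_LENGTH, &encoded,
                                &encodedlen);
  Curl_safefree(sha256sumdigest);
  if(encode)
    return encode;

  infof(data, "\t public key hash: sha256//%s\n", encoded);

  /* it starts with sha256//, copy so we can modify it */
  pinkeylen = strlen(pinnedpubkey) + 1;
  pinkeycopy = malloc(pinkeylen);
  if(!pinkeycopy) {
    Curl_safefree(encoded);
    return CURLE_OUT_OF_MEMORY;
  }
  memcpy(pinkeycopy, pinnedpubkey, pinkeylen);

  /* point begin_pos to the copy, and start extracting keys */
  begin_pos = pinkeycopy;
  do {
    end_pos = strstr(begin_pos, ";sha256//");
    /* if there is an end_pos, null terminate, otherwise it'll go to the end
       of the original string */
    if(end_pos)
      end_pos[0] = '\0';

    /* compare base64 sha256 digests, 8 is the length of "sha256//" */
    if(encodedlen == strlen(begin_pos + 8) &&
       !memcmp(encoded, begin_pos + 8, encodedlen)) {
      result = CURLE_OK;
      break;
    }

    /* change back the null-terminator we changed earlier, and look for the
       next begin */
    if(end_pos) {
      end_pos[0] = ';';
      begin_pos = strstr(end_pos, "sha256//");
    }
  } while(end_pos && begin_pos);

  Curl_safefree(encoded);
  Curl_safefree(pinkeycopy);

  return result;
}

/*
 * Compare the peer's public key against the key stored in the file
 * 'pinnedpubkey', given either as raw DER (file size equals 'pubkeylen') or
 * as a PEM "PUBLIC KEY" block, which is decoded to DER first.
 *
 * Returns CURLE_OK on a match and CURLE_SSL_PINNEDPUBKEYNOTMATCH otherwise;
 * an unreadable, empty, oversized (> MAX_PINNED_PUBKEY_SIZE) or undecodable
 * file counts as no match.
 */
static CURLcode pin_match_file(const char *pinnedpubkey,
                               const unsigned char *pubkey,
                               size_t pubkeylen)
{
  FILE *fp;
  unsigned char *buf = NULL, *pem_ptr = NULL;
  long filesize;
  size_t size, pem_len;
  CURLcode pem_read;
  CURLcode result = CURLE_SSL_PINNEDPUBKEYNOTMATCH;

  fp = fopen(pinnedpubkey, "rb");
  if(!fp)
    return result;

  do {
    /* Determine the file's size */
    if(fseek(fp, 0, SEEK_END))
      break;
    filesize = ftell(fp);
    if(fseek(fp, 0, SEEK_SET))
      break;
    if(filesize < 0 || filesize > MAX_PINNED_PUBKEY_SIZE)
      break;

    /* if the size of our certificate is bigger than the file size then it
       can't match */
    size = curlx_sotouz((curl_off_t) filesize);
    if(pubkeylen > size)
      break;

    /* Allocate buffer for the pinned key, with 1 additional byte for the
       null terminator in case of a PEM key */
    buf = malloc(size + 1);
    if(!buf)
      break;

    /* Returns number of elements read, which should be 1 */
    if((int) fread(buf, size, 1, fp) != 1)
      break;

    /* If the sizes are the same, it can't be base64 encoded, must be der */
    if(pubkeylen == size) {
      if(!memcmp(pubkey, buf, pubkeylen))
        result = CURLE_OK;
      break;
    }

    /* Otherwise we will assume it's PEM and try to decode it after placing
       the null terminator */
    buf[size] = '\0';
    pem_read = pubkey_pem_to_der((const char *)buf, &pem_ptr, &pem_len);
    /* if it wasn't read successfully, exit */
    if(pem_read)
      break;

    /* if the size of our certificate doesn't match the size of the decoded
       file, they can't be the same, otherwise compare */
    if(pubkeylen == pem_len && !memcmp(pubkey, pem_ptr, pubkeylen))
      result = CURLE_OK;
  } while(0);

  Curl_safefree(buf);
  Curl_safefree(pem_ptr);
  fclose(fp);

  return result;
}

/*
 * Generic pinned public key check.
 *
 * 'pinnedpubkey' is the CURLOPT_PINNEDPUBLICKEY value: either a
 * "sha256//..." digest list or the path of a DER/PEM public key file.
 * 'pubkey'/'pubkeylen' is the peer's public key in DER form as extracted by
 * the backend.
 *
 * Returns CURLE_OK when no pin is configured or the key matches,
 * CURLE_SSL_PINNEDPUBKEYNOTMATCH when it does not (or no key was supplied),
 * or an allocation/backend error from the helpers.
 */
CURLcode Curl_pin_peer_pubkey(struct Curl_easy *data,
                              const char *pinnedpubkey,
                              const unsigned char *pubkey, size_t pubkeylen)
{
  /* if a path wasn't specified, don't pin */
  if(!pinnedpubkey)
    return CURLE_OK;
  if(!pubkey || !pubkeylen)
    return CURLE_SSL_PINNEDPUBKEYNOTMATCH;

  /* only do this if pinnedpubkey starts with "sha256//", length 8 */
  if(strncmp(pinnedpubkey, "sha256//", 8) == 0)
    return pin_match_sha256(data, pinnedpubkey, pubkey, pubkeylen);

  return pin_match_file(pinnedpubkey, pubkey, pubkeylen);
}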
  808. #ifndef CURL_DISABLE_CRYPTO_AUTH
/*
 * Compute an MD5 digest of 'tmp' (tmplen bytes) into 'md5sum' using the
 * currently selected backend's md5sum callback.
 *
 * Returns whatever the backend reports; this wrapper adds no checks of its
 * own, so 'md5len' is only validated if the backend does so.
 */
CURLcode Curl_ssl_md5sum(unsigned char *tmp, /* input */
                         size_t tmplen,
                         unsigned char *md5sum, /* output */
                         size_t md5len)
{
  const struct Curl_ssl *backend = Curl_ssl;

  return backend->md5sum(tmp, tmplen, md5sum, md5len);
}
  816. #endif
/*
 * Ask the selected backend whether it can send the TLS status_request
 * (OCSP stapling) extension. Purely a dispatch to the backend's callback.
 */
bool Curl_ssl_cert_status_request(void)
{
  const struct Curl_ssl *backend = Curl_ssl;

  return backend->cert_status_request();
}
/*
 * Ask the selected backend whether it supports TLS False Start.
 * Purely a dispatch to the backend's callback.
 */
bool Curl_ssl_false_start(void)
{
  const struct Curl_ssl *backend = Curl_ssl;

  return backend->false_start();
}
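/*
 * Check whether the SSL backend supports setting TLS 1.3 cipher suites.
 *
 * Returns nonzero (true) when the backend's 'supports' capability mask has
 * the SSLSUPP_TLS13_CIPHERSUITES bit set. The masked value is normalised to
 * 0/1 instead of being returned as-is, so the result does not depend on how
 * 'bool' is defined in this build or on which bit the flag occupies (a raw
 * bit above the low byte would be truncated to 0 by a narrow bool type).
 */
bool Curl_ssl_tls13_ciphersuites(void)
{
  return (Curl_ssl->supports & SSLSUPP_TLS13_CIPHERSUITES) != 0;
}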
/*
 * Default implementations for unsupported functions.
 *
 * The Curl_none_* callbacks fill the slots of a backend vtable that a
 * backend does not implement; they do nothing and report "not available"
 * or success as appropriate.
 */

/*
 * init callback for the "none" backend: there is nothing to set up.
 * Returns 1, which presumably is the init callbacks' success value here
 * (Curl_multissl_init() returns the same on its early-out path).
 */
int Curl_none_init(void)
{
  const int ok = 1;

  return ok;
}
/* cleanup callback for the "none" backend: nothing was allocated. */
void Curl_none_cleanup(void)
{
  /* intentionally empty */
}
/*
 * shutdown callback for the "none" backend. No TLS session exists, so
 * there is nothing to tear down; always returns 0.
 */
int Curl_none_shutdown(struct connectdata *conn UNUSED_PARAM,
                       int sockindex UNUSED_PARAM)
{
  (void)conn;
  (void)sockindex;

  return 0; /* nothing to do, never fails */
}
/*
 * check_cxn callback for the "none" backend. Returns -1, i.e. the
 * connection state cannot be determined without a TLS backend.
 */
int Curl_none_check_cxn(struct connectdata *conn UNUSED_PARAM)
{
  const int unknown = -1;

  (void)conn;
  return unknown;
}
/*
 * random callback for the "none" backend. No entropy source is available
 * here, so the buffer is left untouched and CURLE_NOT_BUILT_IN is returned
 * rather than filling it with something weak; callers must treat the
 * error as "no random bytes were produced".
 */
CURLcode Curl_none_random(struct Curl_easy *data UNUSED_PARAM,
                          unsigned char *entropy UNUSED_PARAM,
                          size_t length UNUSED_PARAM)
{
  (void)data;
  (void)entropy;
  (void)length;

  return CURLE_NOT_BUILT_IN;
}
/* close_all callback for the "none" backend: no sessions to close. */
void Curl_none_close_all(struct Curl_easy *data UNUSED_PARAM)
{
  (void)data; /* nothing to do */
}
/*
 * session_free callback for the "none" backend. The backend never creates
 * session objects, so 'ptr' is ignored and not freed.
 */
void Curl_none_session_free(void *ptr UNUSED_PARAM)
{
  (void)ptr; /* nothing to release */
}
/*
 * data_pending callback for the "none" backend. Without a TLS layer there
 * is never buffered, undelivered data; always reports "nothing pending".
 */
bool Curl_none_data_pending(const struct connectdata *conn UNUSED_PARAM,
                            int connindex UNUSED_PARAM)
{
  (void)conn;
  (void)connindex;

  return 0; /* no pending data */
}
/*
 * cert_status_request callback for the "none" backend: the status_request
 * (OCSP stapling) extension is not supported.
 */
bool Curl_none_cert_status_request(void)
{
  const bool supported = FALSE;

  return supported;
}
/*
 * set_engine callback for the "none" backend. Crypto engines are a
 * backend feature; without one, selecting an engine by name is refused
 * with CURLE_NOT_BUILT_IN.
 */
CURLcode Curl_none_set_engine(struct Curl_easy *data UNUSED_PARAM,
                              const char *engine UNUSED_PARAM)
{
  (void)data;
  (void)engine;

  return CURLE_NOT_BUILT_IN;
}
/*
 * set_engine_default callback for the "none" backend: no engine support,
 * so there is no default to set. Returns CURLE_NOT_BUILT_IN.
 */
CURLcode Curl_none_set_engine_default(struct Curl_easy *data UNUSED_PARAM)
{
  (void)data;

  return CURLE_NOT_BUILT_IN;
}
/*
 * engines_list callback for the "none" backend. There are no crypto
 * engines to enumerate, so the list is empty (NULL); the caller gets
 * nothing it needs to free.
 */
struct curl_slist *Curl_none_engines_list(struct Curl_easy *data UNUSED_PARAM)
{
  struct curl_slist *empty = NULL;

  (void)data;
  return empty;
}
/* false_start callback for the "none" backend: TLS False Start is off. */
bool Curl_none_false_start(void)
{
  const bool supported = FALSE;

  return supported;
}
  908. #ifndef CURL_DISABLE_CRYPTO_AUTH
/*
 * md5sum callback used when the backend has no MD5 of its own: hash
 * 'input' (inputlen bytes) with curl's built-in MD5 and write the digest
 * to 'md5sum'.
 *
 * 'md5len' is not checked: Curl_MD5_final() writes a full digest
 * (presumably 16 bytes) regardless, so the caller must supply a buffer of
 * at least that size.
 * NOTE(review): 'inputlen' is narrowed through curlx_uztoui(); how inputs
 * above UINT_MAX are handled is decided inside that helper — verify.
 * NOTE(review): the context is not freed here; presumably Curl_MD5_final()
 * releases it — verify to rule out a leak.
 *
 * Returns CURLE_OUT_OF_MEMORY if the context cannot be created, else
 * CURLE_OK.
 */
CURLcode Curl_none_md5sum(unsigned char *input, size_t inputlen,
                          unsigned char *md5sum, size_t md5len UNUSED_PARAM)
{
  MD5_context *ctx = Curl_MD5_init(Curl_DIGEST_MD5);

  (void)md5len;

  if(!ctx)
    return CURLE_OUT_OF_MEMORY;

  Curl_MD5_update(ctx, input, curlx_uztoui(inputlen));
  Curl_MD5_final(ctx, md5sum);

  return CURLE_OK;
}
  921. #else
/*
 * md5sum callback for builds with CURL_DISABLE_CRYPTO_AUTH: no MD5
 * implementation is compiled in, so the output buffer is left untouched
 * and CURLE_NOT_BUILT_IN is returned.
 */
CURLcode Curl_none_md5sum(unsigned char *input UNUSED_PARAM,
                          size_t inputlen UNUSED_PARAM,
                          unsigned char *md5sum UNUSED_PARAM,
                          size_t md5len UNUSED_PARAM)
{
  (void)input;
  (void)inputlen;
  (void)md5sum;
  (void)md5len;

  return CURLE_NOT_BUILT_IN;
}
  933. #endif
/*
 * init callback of the "multi" placeholder backend.
 *
 * Selects a concrete backend through multissl_init(NULL), which re-points
 * the global Curl_ssl, and then runs that backend's own init. Because
 * Curl_ssl has been replaced by then, the final call does not recurse
 * into this function.
 *
 * NOTE(review): when multissl_init() cannot pick a backend (nonzero), this
 * returns 1 — the same value Curl_none_init() uses — rather than a
 * failure; presumably intentional, verify against the init convention.
 */
static int Curl_multissl_init(void)
{
  if(multissl_init(NULL) != 0)
    return 1;

  return Curl_ssl->init();
}
/*
 * connect_blocking callback of the "multi" placeholder: pick a concrete
 * backend first, then delegate to it. Fails with CURLE_FAILED_INIT when
 * no backend could be selected.
 */
static CURLcode Curl_multissl_connect(struct connectdata *conn, int sockindex)
{
  CURLcode result = CURLE_FAILED_INIT;

  if(!multissl_init(NULL))
    result = Curl_ssl->connect_blocking(conn, sockindex);

  return result;
}
/*
 * connect_nonblocking callback of the "multi" placeholder: pick a concrete
 * backend first, then delegate to it. Fails with CURLE_FAILED_INIT (and
 * leaves *done untouched) when no backend could be selected.
 */
static CURLcode Curl_multissl_connect_nonblocking(struct connectdata *conn,
                                                  int sockindex, bool *done)
{
  CURLcode result = CURLE_FAILED_INIT;

  if(!multissl_init(NULL))
    result = Curl_ssl->connect_nonblocking(conn, sockindex, done);

  return result;
}
/*
 * get_internals callback of the "multi" placeholder: pick a concrete
 * backend first, then delegate to it. Returns NULL when no backend could
 * be selected.
 */
static void *Curl_multissl_get_internals(struct ssl_connect_data *connssl,
                                         CURLINFO info)
{
  void *internals = NULL;

  if(!multissl_init(NULL))
    internals = Curl_ssl->get_internals(connssl, info);

  return internals;
}
/*
 * close_one callback of the "multi" placeholder: pick a concrete backend
 * first, then delegate to it. Silently does nothing when no backend could
 * be selected.
 */
static void Curl_multissl_close(struct connectdata *conn, int sockindex)
{
  if(!multissl_init(NULL))
    Curl_ssl->close_one(conn, sockindex);
}
/*
 * Placeholder backend used in multi-SSL builds until a concrete backend is
 * chosen. Its callbacks that need a backend (init/connect/close/...) go
 * through multissl_init() to select one and then delegate; everything else
 * is the "none" stub. Note that sha256sum is NULL, which the public-key
 * pinning code treats as "cannot match", i.e. it fails closed.
 *
 * The initializer is positional, so the order here must follow the
 * struct Curl_ssl declaration exactly.
 */
static const struct Curl_ssl Curl_ssl_multi = {
  { CURLSSLBACKEND_NONE, "multi" }, /* info */
  0, /* supports nothing */
  (size_t)-1, /* something insanely large to be on the safe side;
                 presumably the per-connection backend data size */
  Curl_multissl_init, /* init */
  Curl_none_cleanup, /* cleanup */
  Curl_multissl_version, /* version */
  Curl_none_check_cxn, /* check_cxn */
  Curl_none_shutdown, /* shutdown */
  Curl_none_data_pending, /* data_pending */
  Curl_none_random, /* random */
  Curl_none_cert_status_request, /* cert_status_request */
  Curl_multissl_connect, /* connect */
  Curl_multissl_connect_nonblocking, /* connect_nonblocking */
  Curl_multissl_get_internals, /* get_internals */
  Curl_multissl_close, /* close_one */
  Curl_none_close_all, /* close_all */
  Curl_none_session_free, /* session_free */
  Curl_none_set_engine, /* set_engine */
  Curl_none_set_engine_default, /* set_engine_default */
  Curl_none_engines_list, /* engines_list */
  Curl_none_false_start, /* false_start */
  Curl_none_md5sum, /* md5sum */
  NULL /* sha256sum: not available, pinning with sha256// cannot match */
};
/*
 * The active TLS backend. In a CURL_WITH_MULTI_SSL build it starts out as
 * the "multi" placeholder and is re-pointed to a concrete backend at run
 * time by multissl_init(); in single-backend builds it is fixed at compile
 * time. The pointer itself is writable (only the pointee is const), which
 * is what allows that run-time switch.
 */
const struct Curl_ssl *Curl_ssl =
#if defined(CURL_WITH_MULTI_SSL)
  &Curl_ssl_multi;
#elif defined(USE_CYASSL)
  &Curl_ssl_cyassl;
#elif defined(USE_SECTRANSP)
  &Curl_ssl_sectransp;
#elif defined(USE_GNUTLS)
  &Curl_ssl_gnutls;
#elif defined(USE_GSKIT)
  &Curl_ssl_gskit;
#elif defined(USE_MBEDTLS)
  &Curl_ssl_mbedtls;
#elif defined(USE_NSS)
  &Curl_ssl_nss;
#elif defined(USE_OPENSSL)
  &Curl_ssl_openssl;
#elif defined(USE_POLARSSL)
  &Curl_ssl_polarssl;
#elif defined(USE_SCHANNEL)
  &Curl_ssl_schannel;
#elif defined(USE_MESALINK)
  &Curl_ssl_mesalink;
#else
#error "Missing struct Curl_ssl for selected SSL backend"
#endif
/*
 * NULL-terminated list of every backend compiled into this library, in
 * priority order: multissl_init() falls back to available_backends[0] when
 * nothing else selects a backend, and curl_global_sslset() hands this
 * array to applications through its 'avail' argument. Names from the
 * CURL_SSL_BACKEND environment variable are only ever matched against
 * entries of this list, so a backend cannot be selected that is not
 * already linked in.
 */
static const struct Curl_ssl *available_backends[] = {
#if defined(USE_CYASSL)
  &Curl_ssl_cyassl,
#endif
#if defined(USE_SECTRANSP)
  &Curl_ssl_sectransp,
#endif
#if defined(USE_GNUTLS)
  &Curl_ssl_gnutls,
#endif
#if defined(USE_GSKIT)
  &Curl_ssl_gskit,
#endif
#if defined(USE_MBEDTLS)
  &Curl_ssl_mbedtls,
#endif
#if defined(USE_NSS)
  &Curl_ssl_nss,
#endif
#if defined(USE_OPENSSL)
  &Curl_ssl_openssl,
#endif
#if defined(USE_POLARSSL)
  &Curl_ssl_polarssl,
#endif
#if defined(USE_SCHANNEL)
  &Curl_ssl_schannel,
#endif
#if defined(USE_MESALINK)
  &Curl_ssl_mesalink,
#endif
  NULL /* terminator */
};
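/*
 * version callback of the "multi" placeholder: write a space-separated
 * list of all compiled-in backends' version strings into 'buffer' (at
 * most 'size' bytes, always NUL-terminated when size > 0). Backends other
 * than the selected one are shown in parentheses.
 *
 * The list is built once into a static buffer and rebuilt only when the
 * selected backend changes. This static state is not protected against
 * concurrent callers.
 *
 * Returns the full length of the list (excluding the terminator), whether
 * or not it fit in 'buffer' — snprintf-style, so a caller can detect
 * truncation by comparing the result with 'size'.
 *
 * Fixes: the copy previously used 'size < total' to decide that the whole
 * list fits, which is the inverted test and wrote 'total + 1' bytes into a
 * smaller caller buffer; it also read 'size - 1' bytes from the 200-byte
 * static array when the caller's buffer was larger than that, and
 * underflowed 'size - 1' for size == 0.
 */
static size_t Curl_multissl_version(char *buffer, size_t size)
{
  static const struct Curl_ssl *selected;
  static char backends[200];
  static size_t total;
  const struct Curl_ssl *current;

  /* while the placeholder is still active, report the backend that
     multissl_init() would fall back to */
  current = Curl_ssl == &Curl_ssl_multi ? available_backends[0] : Curl_ssl;

  if(current != selected) {
    char *p = backends;
    char *end = backends + sizeof(backends);
    int i;

    selected = current;

    for(i = 0; available_backends[i]; i++) {
      size_t left;
      size_t written;

      /* need room for ' ', '(', at least one character, ')' and the NUL */
      if((size_t)(end - p) < 5)
        break;

      if(i)
        *(p++) = ' ';
      if(selected != available_backends[i])
        *(p++) = '(';

      left = (size_t)(end - p);
      written = available_backends[i]->version(p, left);
      /* do not trust the reported length to fit: keep room for the closing
         parenthesis and the terminator inside the static buffer */
      if(written > left - 2)
        written = left - 2;
      p += written;

      if(selected != available_backends[i])
        *(p++) = ')';
    }
    *p = '\0';
    total = (size_t)(p - backends);
  }

  if(!size)
    return total;

  if(size > total)
    memcpy(buffer, backends, total + 1); /* whole list plus terminator */
  else {
    memcpy(buffer, backends, size - 1);  /* truncate, then terminate */
    buffer[size - 1] = '\0';
  }

  return total;
}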
/*
 * Select the concrete backend behind the "multi" placeholder.
 *
 * With a non-NULL 'backend' that backend is installed unconditionally.
 * Otherwise the CURL_SSL_BACKEND environment variable (or the compile-time
 * CURL_DEFAULT_SSL_BACKEND when the variable is unset) is matched,
 * case-insensitively, against the names in available_backends; an unknown
 * or missing name silently falls back to available_backends[0]. Because
 * the name is only matched against the compiled-in list, the environment
 * can at most pick among backends already linked into the library.
 *
 * Returns 0 when Curl_ssl now points at a concrete backend, 1 when a
 * backend was already selected or none is compiled in. The string from
 * curl_getenv() is released on every path that obtained it.
 */
static int multissl_init(const struct Curl_ssl *backend)
{
  const struct Curl_ssl *chosen = NULL;
  const char *env;
  char *env_tmp;
  int i;

  /* already settled on a concrete backend: nothing to do */
  if(Curl_ssl != &Curl_ssl_multi)
    return 1;

  /* explicit selection, e.g. from curl_global_sslset() */
  if(backend) {
    Curl_ssl = backend;
    return 0;
  }

  /* nothing compiled in to choose from */
  if(!available_backends[0])
    return 1;

  env = env_tmp = curl_getenv("CURL_SSL_BACKEND");
#ifdef CURL_DEFAULT_SSL_BACKEND
  if(!env)
    env = CURL_DEFAULT_SSL_BACKEND;
#endif

  if(env) {
    for(i = 0; available_backends[i]; i++) {
      if(strcasecompare(env, available_backends[i]->info.name)) {
        chosen = available_backends[i];
        break;
      }
    }
  }

  /* unknown or unset name: fall back to the first available backend */
  Curl_ssl = chosen ? chosen : available_backends[0];
  curl_free(env_tmp);
  return 0;
}
/*
 * Public API: choose the TLS backend by id and/or (case-insensitive) name
 * before any other libcurl function has fixed it.
 *
 * When 'avail' is non-NULL it receives the NULL-terminated list of
 * compiled-in backends; the cast relies on the backend info being the
 * first member of struct Curl_ssl (assumed from the cast, verify against
 * the struct declaration).
 *
 * Once a backend is already active, the call only succeeds if it names
 * that same backend; otherwise it reports CURLSSLSET_TOO_LATE in multi-SSL
 * builds and CURLSSLSET_UNKNOWN_BACKEND in single-backend builds. While
 * the placeholder is still active, the first compiled-in backend matching
 * id or name is installed via multissl_init(); no match gives
 * CURLSSLSET_UNKNOWN_BACKEND.
 */
CURLsslset curl_global_sslset(curl_sslbackend id, const char *name,
                              const curl_ssl_backend ***avail)
{
  int i;

  if(avail)
    *avail = (const curl_ssl_backend **)&available_backends;

  if(Curl_ssl != &Curl_ssl_multi) {
    int same = (id == Curl_ssl->info.id) ||
               (name && strcasecompare(name, Curl_ssl->info.name));

    if(same)
      return CURLSSLSET_OK;
#if defined(CURL_WITH_MULTI_SSL)
    return CURLSSLSET_TOO_LATE;
#else
    return CURLSSLSET_UNKNOWN_BACKEND;
#endif
  }

  for(i = 0; available_backends[i]; i++) {
    const struct Curl_ssl *candidate = available_backends[i];

    if(candidate->info.id == id ||
       (name && strcasecompare(candidate->info.name, name))) {
      multissl_init(candidate);
      return CURLSSLSET_OK;
    }
  }

  return CURLSSLSET_UNKNOWN_BACKEND;
}
  1137. #else /* USE_SSL */
/*
 * Public API stub for builds without any TLS support: every request is
 * answered with CURLSSLSET_NO_BACKENDS and 'avail' is left untouched.
 */
CURLsslset curl_global_sslset(curl_sslbackend id, const char *name,
                              const curl_ssl_backend ***avail)
{
  (void)id;
  (void)name;
  (void)avail;

  return CURLSSLSET_NO_BACKENDS;
}
  1146. #endif /* !USE_SSL */